Rethinking ADMT Password Migration with Better Alternatives

Approved By Anuraag Singh

Published On January 5th, 2024

Reading Time 6 Minutes Reading

Category Active Directory

Summary: Understand why ADMT password migration is not the best choice. Find the reasons for its inferiority in the professional setting. Moreover, get a complete outline on how to complete user password migration with the help of a professional tool.

The need to use ADMT for moving preexisting passwords of current users is not new. Whenever there is a major structural change inside an organization that uses an AD, infrastructure migration is one of the first steps that an admin undertakes.

Therefore, many of those companies that are undergoing mergers or acquisitions need to move their active directory passwords as well. So in this blog, you will find the traditional approach followed by the quick and effective tool that makes the migration easy.

However, we can’t fully set our sights on the various approaches before discussing some key aspects first. So let us discuss what options exist for admins who have to move passwords from one domain to the other.

Choices During ADMT Password Migration

Not all organizations need to move the old passwords with the users. In an interdomain data transfer AD admins can choose one of the following

Keep All Passwords Intact: In this type of migration, admins decide to maintain all the source-side passwords.

All the passwords are then replicated for each and every user migrated onto the new domain.

However, admins must be vigilant as this can introduce security vulnerabilities inside the Active Directory. Moreover, another reason why experienced admins don’t recommend this practice is that it increases the chance of username/password mismatch.

Leave the Passwords Behind: This option is better for security reasons and may be the only available option in many industries.

However, even here if proper procedure is not maintained the old passwords may be used to create backdoor entries into the newly migrated AD.

So admins must take special care to disable access via the old credentials. Moreover, users and other stakeholders must be informed about the change in their training period.

This is to avoid accidental account locking due to multiple incorrect password attempts.

How to Migrate Passwords Using the ADMT?

ADMT itself has no provision to move password data which is why Microsoft developed a separate solution called the Password Export Server. Below is a stage-wise separation to complete the task manually:

Stage 1. Setting Up SQL & ADMT on ADMT-Server (T-ADMT)

Open target AD-Server, fetch a copy of the ADMT tool, and repeat SQL Server.

Tip: Just use the default on-screen settings for SQL Server installation. Make sure SQL installation is complete before proceeding with ADMT. This is because you need to use the SQL Server instance inside the ADMT.

Next, make a new encryption key on the same ADMT via the command below:
admt key /option:create /sourcedomain:source.local /keyfile:”c:\KEY.pes” /keypassword: your-password
Then, adjust the source domain and key password as needed.
Move the newly created key to the domain controller present at source (S-DC).

Stage 2. Setting Up PES on Source Domain Controller (S-DC)

Get a copy of Password Export Server and set it up on your source DC.
Use the previously created key when prompted.
Provide the required password for confirmation.
Log in with either Source or Target Domain Administrator credentials.
Restart S-DC and manually initiate the PES service.

Stage 3. Cross-Domain Administrator Group Assignment

Include TD\Azureuser in the source domain Administrators group and SD\Azureuser in the target domainAdministrators group.

Stage 4. Complete ADMT Password Migration with all Users

Open ADMT on T-ADMT.
Navigate to the User Account Migration Wizard.
Specify the source and target domains.
Select the desired users for migration.
Set the target Organizational Unit (OU).
Opt to migrate passwords.
Follow the on-screen prompts and instructions.
Ensure the migration completed successfully.

Drawbacks of Using ADMT for Password Migration

ADMT works significantly better in single forest deployments. However, when migration is between domains that are located inside two different forests the following problems may occur.

ADMT 3.1 PES installation fails with error: The supplied password does not match this encryption key’s password

Possible reasons include:

Typed in the wrong security key.
Generated the key on a different computer from where the ADMT is present.
PES configuration is not at par. Some modules might be missing.

WRN:7557 Failed to copy the password for user. A strong password has been generated instead. Unable to copy password. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Here the ADMT does not accept the previous password as being valid so it makes the password on its own.

Alternative Tool for Active Directory Password Migration

SysTools Active Directory Migration Tool is the best-in-class cross-forest AD migration solution that any organization needs. With a strong emphasis on ease of use the tool also complies with the latest data security directives. Moreover, all these combined with the most price-effective model make the tool a necessary partner for all AD transfers.

Download Now Purchase Now

Follow these steps to use the tool:

Step 1. Launch the tool, and type the default credentials (Administrator) to access the tool.

Enter Credentials

Step 2. Navigate to the domain controller registration section. Enter the Domain Friendly Name and its corresponding IP Address, then click ” Save & Continue “.
Register Domain Controler

Step 3. Within the Info segment, provide the Admin User and its associated password. Click ” Save & Continue “.
First Domain Credentials

Step 4. Move to the Active Directory section and fetch all objects related to the source domain.
Fetch Active Directory Objects

Step 5. Repeat the previous step for the target domain , ensuring all relevant details are captured.
Object Visible

Step 6. Within the Migration segment, select “ Create Migration Scenario ”. Name the migration and choose endpoints from the dropdown menu.
Create Scenario

Step 7. Navigate to the “ Task ” section and choose the “ Create Task ” option. Configure the desired settings for the destination domain.
Save Task

Step 8. After finalizing object choices, click ” Create ” and proceed with this alternative to ADMT password migration.
Select Action

Step 9. On the preview dashboard, map the objects accordingly. Click ” Start Task “, then confirm the action in the subsequent window by clicking “Start”.
Click Start

Why the Tool is Best Suited for Password Migration in Active Directory

Apart from being the top choice to migrate users and computers from one forest to another , the tool contains the following provisions.

No Password Handling: With this admins can skip the trouble of migrating AD passwords across domains.

Password Sync: For admins who set up new passwords before migration this option allows them to sync the new passwords with the destination domain.

Set Existing Password: Use the option when you want to reuse old passwords.

Set Default Password: Here users get a temporary custom password that can be used to verify the migration.

These are especially built in to tackle the password migration problems posed by the manual methods.

Conclusion

In this blog, we covered the ADMT password migration in its entirety. Not only this but we also exposed when and where the manual method lags. Moreover, in a professional setting, any delays have direct monetary consequences, so users may think twice before opting for the ADMT method of password transfer. Additionally, for the user’s comfort, we gave a tutorial on the professional alternative as well.